<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML lang="en">
<HEAD>
 <LINK rel="StyleSheet" href="../BBWin.css">
 <TITLE>Msgs</TITLE>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
 <meta name="copyright" content="Copyright &copy; 2006 by Etienne Grignon. Licenced under GPL.">
</HEAD>
<BODY>
 <H1>Msgs</H1>
<H3>Description</H3>
<p>
Msgs agent is used to monitor the Windows Event Logs. It has to be configured via rules. Its syntax is explained below.
If no rules is specified, msgs will do nothing.
</p>
<H3>Configuration</H3>
<UL>
 <LI class="OptionDirective"><b>setting</b> directive syntax :
<p>
<pre class="Config">
&lt;setting name="" value="" /&gt;
</pre>
<LI class="OptionDirective">generic settings
<p>
<table class="OptionTable" cellSpacing="0" cellPadding="0" border="1" id="table1">
	<tr>
		<td class="OptionTitle" vAlign="top" >
		name
		</td>
		<td class="OptionTitle">
		value
		</td>
	</tr>
	<tr>
		<td class="OptionValue" vAlign="top" >
		alwaysgreen
		</td>
		<td class="OptionValue" vAlign="top">
		Possible values are "true" or "false". If true, it will always send green status.
		<b>Default is false</b>.
		</td>
	</tr>
	<tr>
		<td class="OptionValue" vAlign="top" >
		checkfulleventlog
		</td>
		<td class="OptionValue" vAlign="top">
		Possible values are "true" or "false". If true, it will alert you (red color) when one of the event log 
		on the host has reached the maximum size and if its retention is set to 
		"Do not overwrite events (clear log manually)".
		<b>Default is false</b>.
		</td>
	</tr>
	<tr>
		<td class="OptionValue" vAlign="top" >
		delay
		</td>
		<td class="OptionValue" vAlign="top">
		You can set the elapsed time of the events for all rules.
		Unit is seconds. You can specify a unit after the numeric value : "m" for minutes,
		"h" for hours, "d" for days.
		<b>Default is 30 minutes</b>.
		<b>Delay has no effect on ignore rules</b>.
		</td>
	</tr>
	<tr>
		<td class="OptionValue" vAlign="top" >
		testname
		</td>
		<td class="OptionValue" vAlign="top">
		You can set the testname that will be sent to the monitoring server (column name in
		the bbdisplay)
		<b>Default is "msgs"</b></td>
	</tr>
</table>
 <LI class="OptionDirective"><b>rules</b> directive syntax :
<p>
<pre class="Config">
&lt;match logfile="" eventid="" source="" type="" value="" delay="" alarmcolor="" /&gt;
&lt;ignore logfile="" eventid="" source="" type="" value="" /&gt;
</pre>
<p>
Match and ignore rules have almost similar attributes.
You can combine the different matching attributes to improve your rules.
</p>
<p>
If the name value is not one of the generic settings, then, disk will understand that it is a disk custom rule.
</p>
<p>
<table class="OptionTable" cellSpacing="0" cellPadding="0" border="1" id="table2">
	<tr>
		<td class="OptionTitle" vAlign="top" >
		alarmcolor
		</td>
		<td class="OptionValue" vAlign="top">
		You can set the alarm color you want to use if there are matched events.
		It should be set to red or yellow.
		<b>Default is yellow</b>.
		<b>alarmcolor has no effect on ignore rules</b>.
		</td>
	</tr>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		count
		</td>
		<td class="OptionValue" vAlign="top">
		You can set a counter so you may only receive alert if several events on the same rule are matched.
		<b>Default is 0 which means that the first event matched will generate an alert.</b> count must be a positive number.
		<b>count has no effect on ignore rules</b>.
		</td>
	</tr>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		delay
		</td>
		<td class="OptionValue" vAlign="top">
		You can set the elapsed time of the events to match.
		Unit is seconds. You can specify a unit after the numeric value : "m" for minutes,
		"h" for hours, "d" for days.
		<b>Default is herited from the delay generic setting</b>.
		<b>Delay has no effect on ignore rules</b>.
	</td>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		eventid
		</td>
		<td class="OptionValue" vAlign="top">
		You can specify the eventid you want to match.
		<b>This parameter is optionnal</b><br>
	</td>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		logfile
		</td>
		<td class="OptionValue" vAlign="top">
		The logfile attribute is the log event filename. The different log files available on your computer are listed in the registry
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
		<b>This parameter is required</b><br>
	</td>
	</tr>
		<tr>
		<td class="OptionTitle" vAlign="top" >
		priority
		</td>
		<td class="OptionValue" vAlign="top">
		You can set a priority to your rules. If an ignore rule and a match rule are conflicting, you may use the priority option to 
		resolve the conflict. Both of the conflicting rules need the priority set.
		<b>Default is 0 which means no priority is set.</b> Priority must be a positive number.
		</td>
	</tr>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		source
		</td>
		<td class="OptionValue" vAlign="top">
		You can specify the source of the event you want to match.
		<b>This parameter is optionnal</b><br>
	</td>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		type
		</td>
		<td class="OptionValue" vAlign="top">
		You can specify the event type you want to match.
		The different types are :
		<UL>
		<LI>error
		<LI>warning
		<LI>information
		<LI>success (for security eventlog only)
		<LI>failure (for security eventlog only)
		</UL>
		You may just specify the beginning of the type, it will match the all word.
		Example : type="info" will match information event type, type="err" will match error event type.
		<b>This parameter is optionnal</b><br>
	</td>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		user
		</td>
		<td class="OptionValue" vAlign="top">
		user is to match events with the user field.
		You may specify perl regular expressions in it.
		<b>This parameter is optional</b><br>
	</td>
	<tr>
		<td class="OptionTitle" vAlign="top" >
		value
		</td>
		<td class="OptionValue" vAlign="top">
		value is to match events with the description field.
		You may specify perl regular expressions in it.
		<b>This parameter is optional</b><br>
	</td>
	</tr>
</table>
</UL>
<H3>Examples</H3>
<UL>
 <LI>
<p>
<pre class="Config">
&lt;msgs&gt;
	&lt;setting name="alwaysgreen" value="false" /&gt;
	&lt;match logfile="System" type="error" delay="1h" alarmcolor="red" /&gt;
	&lt;match logfile="System" type="warning" alarmcolor="yellow" /&gt;
	&lt;match logfile="Application" type="error" delay="1h" alarmcolor="red" /&gt;
	&lt;match logfile="Application" type="warning" alarmcolor="yellow" /&gt;
	&lt;match logfile="Security" type="fail" /&gt;
	
	&lt;ignore logfile="Application" eventid="1030" /&gt;
	&lt;ignore logfile="System" source="W32Time" /&gt;
&lt;/msgs&gt;
</pre>
<LI>Summary will be sent in the footer of the report
<LI>System logfile will be check during 1 hour for error events, 30 minutes (default) for warning events
<LI>Application logfile will be check during 1 hour for error events, 30 minutes (default) for warning events
<LI>Security logfile will be check during 30 minutes (default) for fail events
<LI>Application events with eventid 1030 will be ignored
<LI>System events with source "W32Time" will be ignored
</UL>
<H3>Notes</H3>
<UL>
 <LI>Msgs can work on any eventlog that is available in the Windows Event Viewer. It is not limited to the common Application, Security 
 and System log files because it may have more than 3 events logs files. (On domain controlers for example)
</UL>
</BODY>
</HTML>
